[
https://issues.apache.org/jira/browse/CASSANDRA-3278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
George updated CASSANDRA-3278:
------------------------------
Attachment: cassandra-3278-cache.txt
cassandra-3278-nocache.txt
I wasn't happy with reading the keystore/truststore files and doing the cipher
suites' filtering for each socket creation, so I ended up creating two patches:
* cassandra-3278-nocache.txt: Does the filtering; the downside is that the
filtering is done for each socket that's created.
* cassandra-3278-cache.txt: Caches the SSLContext along with the supported
cipher suites for server and non-server sockets. The downside is that changing
the keystore/truststore requires a restart of the node.
I don't have enough information to decide which version is preferable; I leave
that to you.
Thanks,
George
> SSLFactory should not enable cipher suites that aren't supported
> ----------------------------------------------------------------
>
> Key: CASSANDRA-3278
> URL: https://issues.apache.org/jira/browse/CASSANDRA-3278
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Affects Versions: 0.8.4, 0.8.5, 0.8.6, 1.0.0
> Environment: OpenJDK on debian squeeze
> Reporter: George
> Priority: Minor
> Fix For: 0.8.7
>
> Attachments: cassandra-3278-cache.txt, cassandra-3278-nocache.txt
>
>
> The socket creation (server or otherwise) in SSLFactory.java calls
> [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])]
> with the values specified in EncryptionOptions.java:
> {code}
> public String[] cipherSuites = {
> "TLS_RSA_WITH_AES_128_CBC_SHA",
> "TLS_RSA_WITH_AES_256_CBC_SHA"
> };
> {code}
> The call to
> [setEnabledCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setEnabledCipherSuites(java.lang.String\[\])]
> fails on systems that don't have [Java Cryptography Extension (JCE)
> Unlimited Strength Jurisdiction Policy Files
> 6|http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html]
> because AES256 is not supported.
> To avoid installing the unlimited strength policy file the code in
> SSLFactory.java should call
> [getSupportedCipherSuites|http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#getSupportedCipherSuites()]
> to find out which of the suites specified are supported.
> Thanks,
> George
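The filtering step the report asks for, as an added illustration that is not Cassandra's SSLFactory code or either of George's patches: intersect the configured suites with what the running JSSE provider reports via getSupportedCipherSuites before calling setEnabledCipherSuites. The class name, the made-up third suite name (constructed so the filter has something to drop on any JRE) and the fail-closed behaviour when nothing survives the filter are assumptions of this example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example for CASSANDRA-3278 (not the project's own code): only enable
 * the configured cipher suites that the provider actually supports, so a JRE
 * without the unlimited-strength JCE policy files does not blow up on
 * setEnabledCipherSuites when AES-256 is unavailable.
 */
public class CipherSuiteFilterDemo {

    // The two suites EncryptionOptions configures by default, plus one
    // constructed name that no provider supports, to exercise the filter.
    static final String[] CONFIGURED = {
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_MADE_UP_SUITE_FOR_DEMO"
    };

    /**
     * Returns the subset of {@code requested} present in {@code supported},
     * keeping the configured order, and warns about anything dropped.
     */
    static String[] filter(String[] requested, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<>();
        List<String> dropped = new ArrayList<>();
        for (String suite : requested) {
            if (available.contains(suite)) {
                enabled.add(suite);
            } else {
                dropped.add(suite);
            }
        }
        if (!dropped.isEmpty()) {
            System.err.println("WARN: dropping unsupported cipher suites " + dropped);
        }
        if (enabled.isEmpty()) {
            // Assumption of this example: fail closed rather than silently
            // letting the provider's defaults (possibly weaker suites) apply.
            throw new IllegalStateException(
                "none of the configured cipher suites are supported: "
                + Arrays.toString(requested));
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            // Before the fix: one unsupported name makes the whole call throw.
            try {
                server.setEnabledCipherSuites(CONFIGURED);
            } catch (IllegalArgumentException e) {
                System.out.println("unfiltered call failed: " + e.getMessage());
            }
            // After the fix: filter against the provider's list, then enable.
            String[] usable = filter(CONFIGURED, server.getSupportedCipherSuites());
            server.setEnabledCipherSuites(usable);
            System.out.println("enabled: " + Arrays.toString(server.getEnabledCipherSuites()));
        }
    }
}
```

Run with `javac CipherSuiteFilterDemo.java && java CipherSuiteFilterDemo`; no keystore is needed because the socket is never used for a handshake, only for querying and setting suites. The same filter applies to client-side SSLSocket creation. Whether AES-256 suites survive the filter depends on the JRE: on a Java 6 install without the unlimited-strength policy files they are dropped with a warning, which is exactly the condition the report describes, whereas on recent JREs (where unrestricted policy is the default) only the constructed name is dropped.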
--
This message is automatically generated by JIRA.